Reverse proxy magic

APACHECON North America
9-12 September, 2019
Apache httpd v2.4:
Reverse Proxy Magic

APACHECON North America This work is licensed under a Creative Commons Attribution 3.0 Unported License. - Jim Jagielski - @jimjag
About Me
Apache Software Foundation
Co-founder, Director Emeritus, Member and Developer
Director Emeritus
Outercurve, MARSEC-XL, OSSI, OSI (ex)…
Developer
Mega FOSS projects
O’Reilly Open Source Award: 2013
European Commission: Luminary Award
Homebrewer, Husband, Father, Friend
Open Source Chef: ConsenSys

Apache httpd 2.4
Currently at version 2.4.41 (2.4.1 went GA Feb 21, 2012)
Significant Improvements
high-performance
cloud suitability

Apache httpd 2.4 - design drivers
Support for async I/O w/o dropping support for older systems
Larger selection of usable MPMs: added event, motorz, etc...
Leverage higher-performant versions of APR
Increase performance
Reduce memory utilization
The Cloud and Reverse Proxy

Cloud and Dynamics
The Cloud is a game changer for web servers
The cloud is a dynamic place
automated reconfiguration
horizontal, not vertical scaling
self-aware environments
OK, maybe not THAT self-aware

Why Dynamic Proxy Matters
Apache httpd still the most frequently used front-end
Proxy capabilities must be cloud friendly
Front-end must be dynamic friendly

Reverse Proxy
Internet
Firewall Firewall
Cloud
Reverse Proxy Server
Transactional
Servers
Browser
Operates at the server end of the transaction
Completely transparent to the Web Browser – thinks the Reverse Proxy
Server is the real server

Features of Reverse Proxy Server
Security
Uniform security policy can be administered
The real transactional servers are behind the firewall
Delegation, Specialization, Load Balancing
Offload SSL
Issues w/ Tomcat APR/OpenSSL connector
Caching
Performance, HA

Proxy Design Drivers
Becoming a robust but generic proxy implementation
Support various protocols
HTTP, HTTPS, HTTP/2, CONNECT, FTP
AJP, FastCGI, SCGI, WSGI, UWSGI, PROXY
Load balancing
Clustering, failover
Performance

Apache httpd 2.4 proxy
Reverse Proxy Improvements
Supports FastCGI, SCGI, Websockets in balancer
Additional load balancing mechanisms
Runtime changing of clusters w/o restarts
Support for dynamic configuration
mod_proxy_express
mod_fcgid and fcgistarter
Brand New: Support for Unix Domain Sockets
Brand New: HTTP/2

Configuring Reverse Proxy
Set ProxyRequests Off
Apply ProxyPass, ProxyPassReverse and possibly RewriteRule
directives

Reverse Proxy Directives: 
ProxyPass
Allows remote server to be mapped into the space of the local
(Reverse Proxy) server
There is also ProxyPassMatch which takes a regex
Example:
ProxyPass /secure/ http://secureserver.local/ 
Presumably “secureserver” is inaccessible directly from the internet 
ProxyPassMatch ^/(.*.js)$ http://js-storage.example.com/bar/$1

ProxyPass
Can also be used in a Location block (sometimes faster)
Example:
<Location /secure/>
ProxyPass http://secureserver.local/ 
</Location>

ProxyPass
Honored in order of definition
Can bypass proxying with !
ProxyPass /local/ ! 
ProxyPass / http://secureserver.local/

ProxyPassReverse
Used to specify that redirects issued by the remote server are to be
translated to use the proxy before being returned to the client.
Syntax is identical to ProxyPass; used in conjunction with it
Example:
ProxyPass /secure/ http://secureserver/
ProxyPassReverse /secure/ http://secureserver/

Simple Rev Proxy
All requests for /images to a backend server 
 
Useful, but limited
What if:
images.example.com dies?
traffic for /images increases
ProxyPass /images http://images.example.com/
ProxyPass <path> <scheme>://<full url>

Load Balancing
mod_proxy_balancer.so
mod_proxy can do native load balancing
weight by actual requests
weight by traffic
weight by busyness
lbfactors

Create a balancer “cluster”
Create a balancer which contains several host nodes
Apache httpd will then direct to each node as specified
<Proxy balancer://foo>
BalancerMember http://www1.example.com:80/ loadfactor=1
BalancerMember http://www2.example.com:80/ loadfactor=2
BalancerMember http://www3.example.com:80/ loadfactor=1 status=+h
ProxySet lbmethod=bytraffic
</Proxy>
Balancer Name
Workers/Nodes

Some config params
For BalancerMembers:
loadfactor
normalized load for worker [1]
lbset
worker cluster set number [0]
retry
retry timeout, in seconds, for non-ready workers [60]

Some config params
For BalancerMembers (cont):
connectiontimeout/timout
Connection timeouts on backend [ProxyTimeout]
flushpackets *
Does proxy need to flush data with each chunk of data?
on : Yes | off : No | auto : wait and see
flushwait *
ms to wait for data before flushing

Some config params
For BalancerMembers (cont):
ping
Ping backend to check for availability; value is time to wait for response
status (+/-)
D : Disabled
S : Stopped
I : Ignore errors
H : Hot standby
R : Hot spare
E : Error
N: Drain
C: Dynamic Health Check fail

Some config params
For Balancers:
lbmethod
load balancing algo to use [byrequests]
stickysession
sticky session name (eg: JSESSIONID)
maxattempts
# failover tries before we bail
growth
Extra BalancerMember slots to allow for

Some config params
For Balancers:
nofailover
pretty freakin obvious
For both:
ProxySet
Alternate method to set various params
ProxySet balancer://foo timeout=10
...
ProxyPass / balancer://foo timeout=10

Connection Pooling
Backend connection pooling
Available for named workers:
eg: ProxyPass /foo ajp://bar.example.com
Reusable connection to origin
For threaded MPMs, can adjust size of pool (min, max, smax)
For prefork: singleton
Shared data held in shared memory

Some config params
For BalancerMembers - connection pool:
min
Initial number of connections [0]
max
Hard maximum number of connections [1|TPC]
smax:
soft max - keep this number available [max]

Some config params
For BalancerMembers - connection pool:
disablereuser/enablereuse:
bypass/enable the connection pool (firewalls)
ttl
time to live for connections above smax

Sessions
Sticky session support
aka “session affinity”
Cookie based
stickysession=PHPSESSID
stickysession=JSESSIONID
Natively easy with Tomcat
May require more setup for “simple” HTTP proxying
Use of mod_session helps

Sessions
From Daniel Ruggeri
LoadModule headers_module modules/mod_headers.so
<Proxy balancer://cluster>
BalancerMember http://1.2.3.4:8009 route=bar1
BalancerMember http://1.2.3.5:8009 route=bar2
ProxySet stickysession=KewlApp_STICKY
</Proxy>
Header add Set-Cookie "KewlApp_STICKY=sticky.%
{BALANCER_WORKER_ROUTE}e;path=/;" env=BALANCER_ROUTE_CHANGED
ProxyPass /foo/ balancer://cluster/foo/

Failover control
Cluster set with failover
Group backend servers as numbered sets
balancer will try lower-valued sets first
If no workers are available, will try next lbset
Hot standby
No workers available in current lbset? Use me
Hot spare
As soon as a worker goes offline, start using me

Putting it all together
<Proxy balancer://foo>
BalancerMember http://php1:8080/ loadfactor=1
BalancerMember http://php2:8080/ loadfactor=4
BalancerMember http://phpbkup:8080/ loadfactor=1 status=+h
BalancerMember http://phpexp1:8080/ lbset=1
BalancerMember http://phpexp2:8080/ lbset=1 loadfactor=2
BalancerMember http://phpexpbkup:8080/ lbset=1 status=+h
ProxySet lbmethod=bytraffic
</Proxy>
<Proxy balancer://javaapps>
BalancerMember ajp://tc1:8089/ loadfactor=10
BalancerMember ajp://tc2:8089/ loadfactor=40
ProxySet lbmethod=byrequests
</Proxy>
ProxyPass /apps/ balancer://foo/
ProxyPassReverse /apps/ balancer://foo/
ProxyPass /serv/ balancer://javaapps/
ProxyPass /images/ http://images:8080/
ProxyPass /dyno/ h2c://pappy:80/
ProxyPass /foo/ unix:/home/www.socket|ajp://localhost/bar/
lbset 0 lbset 1
foo

Mass Reverse Proxy
We front-end a LOT of reverse proxies
What a httpd.conf disaster!
Slow and bloated
mod_rewrite doesn’t help
nor does mod_macro
<VirtualHost www1.example.com>
ProxyPass / http://192.168.002.2:8080
ProxyPassReverse / http://192.168.002.2:8080
</VirtualHost>
 
ProxyPass / http://192.168.002.12:8088 
ProxyPassReverse / http://
192.168.002.12:8088
</VirtualHost>
ProxyPass / http://192.168.002.10
ProxyPassReverse / http://192.168.002.10
</VirtualHost>
.
.
.
ProxyPass / http://192.168.211.26
ProxyPassReverse / http://192.168.211.26
</VirtualHost>

Mass Reverse Proxy
Use the new mod_proxy_express module
ProxyPass mapping obtained via db file
Fast and efficient
Still dynamic, with no config changes required
micro-services? You betcha!
ProxyExpress map file
## 
##express-map.db: 
## 
 
www1.example.com http://192.168.002.2:8080 
www2.example.com http://192.168.002.12:8088 
www3.example.com http://192.168.002.10
...
www6341.example.com http://192.168.211.26
httpd.conf file
ProxyExpressEnable On
ProxyExpressDBMFile express-map.db

HeartBeat / HeartMonitor
Experimental LB (load balance) method
Uses multicast between gateway and reverse proxies
Provides heartbeat (are you there?) capability
Also provides basic load info
This info stored in shm, and used for balancing
Multicast can be an issue
Use mod_header with %l, %i, %b (loadavg, idle, busy)
but no LBmethod currently uses this :(

balancer-manager
Embedded proxy admin web interface
Allows for real-time
Monitoring of stats for each worker
Adjustment of worker params
lbset
load factor
route
enabled / disabled
...

Embedded Admin
Allows for real-time
Addition of new workers/nodes
Change of LB methods
Can be persistent!
More RESTful
Can be CLI-driven

Easy setup
<Location /balancer-manager>
SetHandler balancer-manager
Require 192.168.2.22
</Location>

Admin

server-status aware

Performance
From Bryan Call’s ApacheCon preso 
(http://www.slideshare.net/bryan_call/choosing-a-proxy-server-apachecon-2014)
•  Squid&used&the&most&
CPU&again&
•  NGiNX&had&latency&
issues&
•  ATS&most&throughput& 0&
500&
1000&
1500&
2000&
2500&
ATS& NGiNX& Squid& Varnish& hBpd&
RPS$/$CPU$Usage$
0&
5000&
10000&
15000&
20000&
25000&
30000&
Requests$Per$Second$
0&
5&
10&
15&
20&
25&
30&
35&
40&
Latency$
Median&
95th&

nginx vs Event (typical)
Apache - Event MPM
0
500
1000
1500
2000
nginx
0
500
1,000
1,500
2,000
Open Write Read Close
Increasing concurrency Increasing concurrency

Apache - Prefork MPM
0
500
1000
1500
2000
nginx vs Prefork (typical)
nginx
0
500
1,000
1,500
2,000
Open Write Read Close
Increasing concurrency Increasing concurrency

Total req/resp time
Comparison - total transaction (close)
0
500
1000
1500
2000
Prefork Worker Event nginx
Increasing concurrency

Resp to Req. Bursts - httperf
100 ---> 20000
0.00
1.75
3.50
5.25
7.00
min avg max dev min avg max dev min avg max dev min avg max dev min avg max dev min avg max dev
prefork worker event nginx
Increasing concurrency

Backend Status
Dynamic Health Checks !
TCP/IP Ping
OPTIONS
HEAD
GET
ProxyHCExpr ok234 {%{REQUEST_STATUS} =~ /^[234]/}
ProxyHCExpr gdown {%{REQUEST_STATUS} =~ /^[5]/}
ProxyHCExpr in_maint {hc('body') !~ /Under maintenance/}
<Proxy balancer://foo/>
BalancerMember http://www.example.com/ hcmethod=GET hcexpr=in_maint hcuri=/status.php
BalancerMember http://www2.example.com/ hcmethod=HEAD hcexpr=ok234 hcinterval=10
BalancerMember http://www3.example.com/ hcmethod=TCP hcinterval=250ms hcpasses=2 hcfails=3
BalancerMember http://www4.example.com/
</Proxy>
ProxyPass "/" “balancer://foo/"
ProxyPassReverse "/" “balancer://foo/"

What else is new?
Additional protocols
UWSGI, PROXY (HAproxy)
Improved caching
Redis and Memcache now mod_status aware
Apache Geode
FPM Improved. And fully PHP compliant.
Performance, of course!

What’s on the horizon?
Extend mod_proxy_express
Adding additional protocols as needed/desired
More dynamic configuration
Adding balancers!
Performance, of course!
mod_proxy_survey
protocolbuf
nanomsg

In conclusion...
For cloud environs and other, the performance and dynamic control of
Apache httpd 2.4 in reverse proxies is just what the Dr. ordered (and
flexibility remains a big strength)

Thanks
Twitter: @jimjag
Emails: 
jim@jaguNET.com 
jim@apache.org 
jimjag@gmail.com
http://www.slideshare.net/jimjag/
Apache Anniversary Beer Recipe (BeerSmith3 format):
http://home.apache.org/~jim/download/ApacheAnniversaryRoggenbier.bsmx

Reverse proxy magic

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Reverse proxy magic

Similar a Reverse proxy magic (20)

Más de Jim Jagielski

Más de Jim Jagielski (20)

Último

Último (20)

Reverse proxy magic